CN101662768B - Authenticating method and equipment based on user identification module of personal handy phone system - Google Patents


Info

Publication number: CN101662768B
Application number: CN200810214603.6A
Authority: CN (China)
Prior art keywords: authentication; network; identification information; subscriber equipment; authentication result
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.): Expired - Fee Related
Other languages: Chinese (zh)
Other versions: CN101662768A
Inventors: 尚传进, 管恩花, 厉超, 王营
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.): Alcatel Lucent SAS
Original Assignee: Alcatel Lucent SAS


Landscapes

  • Mobile Radio Communication Systems (AREA)

Abstract

The invention provides a wireless local area network authentication method based on the subscriber identity module of a personal handyphone system, comprising the steps of: in response to an authentication enquiry from a network, sending first identification information stored in the subscriber identity module to the network; obtaining in the network, based on the first identification information, an authentication triplet comprising a random number for authentication, a first authentication result, and second identification information that matches the first identification information and was allocated to the user equipment in advance by the network; sending the random number from the network to the user equipment; computing a second authentication result from the random number and an authentication key stored in the subscriber identity module of the user equipment; sending the second authentication result to the network; and, when the first authentication result matches the second authentication result, sending access permission information from the network to the user equipment.

Description

Authentication method and equipment based on the Subscriber Identity Module of a personal handyphone system
Technical field
The present invention relates generally to an authentication method and apparatus, and in particular to a method and apparatus for performing 802.1x wireless local area network (WLAN) access authentication based on the Subscriber Identity Module (SIM) of a Personal Handyphone System (PHS).
Background technology
For today's mobile business professionals, seamless access to modern office tools is one of the most valuable assets. Limited bandwidth, however, has hindered the adoption of many applications, such as e-mail download and video conferencing. WLAN offers end users better bandwidth than any other wireless technology, including the PHS packet system. Operators, however, face problems when authenticating end users' Wi-Fi devices.
The Extensible Authentication Protocol - Subscriber Identity Module (EAP-SIM) solution based on the General Packet Radio Service (GPRS) is the best existing solution for authenticating Wi-Fi end-user devices. Fig. 1 shows the overall network architecture 100 of the GPRS EAP-SIM solution. In an operator WLAN architecture based on the Global System for Mobile Communications SIM (GSM-SIM), as shown in Fig. 1, a GSM terminal 101 can take part in radio communication via the GPRS radio access network (RAN) 110 through a GSM base station 111 and obtain services such as voice and low-speed data. A Wi-Fi terminal 102, on the other hand, can access an IP network 103 such as the Internet via a public access WLAN 120 through a nearby access point (AP) 121, and thereby obtain services such as high-speed data.
When the Wi-Fi terminal 102 wants to access the IP network 103 through the WLAN, it must be authenticated by the operator, so that unauthorized Wi-Fi end users are prevented from accessing the operator's WLAN. For an operator that owns both a GSM network and a WLAN, once the operator has adopted a GSM-SIM based WLAN access authentication scheme, the Wi-Fi terminal 102 can use the SIM card it uses in the GSM network to request access to the WLAN. For example, the Wi-Fi terminal 102 can send the information needed for authentication to the authentication server 131 through the access controller (AC) 122 of the WLAN. The authentication server 131 uses authentication data obtained from the mobile switching centre / home location register (MSC/HLR) 132 to decide whether the Wi-Fi terminal 102 may access the WLAN. The user can thus combine the GSM network and the WLAN, and the GSM operator can prevent unauthorized Wi-Fi end users from accessing its WLAN. This solution, however, cannot be used by operators that have no GPRS system or GSM network, for example China Netcom and China Telecom: the existing GSM-SIM based solution requires the operator to have a GSM network and GSM terminals, which is a bottleneck for operators without a GSM network.
An authentication solution is therefore needed that allows an operator without a GSM network, for example a PHS operator, to prevent unauthorized Wi-Fi end users from accessing its WLAN.
Summary of the invention
According to a first aspect of the invention, an authentication method for a user equipment is provided, which performs WLAN access authentication based on the Subscriber Identity Module of a personal handyphone system, the method comprising the steps of: in response to an authentication enquiry from a network, sending first identification information of the user equipment to the network, the first identification information being stored in the Subscriber Identity Module of the user equipment; receiving from the network a random number for authentication, the random number coming from an authentication triplet that further comprises a first authentication result and second identification information which matches the first identification information and was allocated to the user equipment in advance by the network; at the user equipment, computing a second authentication result from the random number and an authentication key stored in the Subscriber Identity Module, based on a predetermined authentication algorithm; sending the second authentication result to the network; and, when the first authentication result matches the second authentication result, receiving an access permission message from the network.
According to a second aspect of the invention, a user equipment for authentication is provided, which performs WLAN access authentication based on the Subscriber Identity Module of a personal handyphone system, the user equipment comprising: a Subscriber Identity Module for storing first identification information and an authentication key of the user equipment; an identification information sending module for sending the first identification information to a network in response to an authentication enquiry from the network; an authentication information receiving module for receiving from the network a random number for authentication, the random number coming from an authentication triplet that further comprises a first authentication result and second identification information which matches the first identification information and was allocated to the user equipment in advance by the network; a computing module for computing a second authentication result from the random number and the authentication key based on a predetermined authentication algorithm; an authentication result sending module for sending the second authentication result to the network; and an access message receiving module for receiving an access permission message from the network when the first authentication result matches the second authentication result.
According to a third aspect of the invention, an authentication method for a network device is provided, which performs WLAN access authentication based on the Subscriber Identity Module of a personal handyphone system, the method comprising the steps of: receiving from a user equipment, in response to an authentication enquiry from the network, first identification information that is stored in the Subscriber Identity Module of the user equipment; obtaining an authentication triplet based on the first identification information, the authentication triplet comprising a random number for authentication, a first authentication result, and second identification information which matches the first identification information and was allocated to the user equipment in advance by the network; sending the random number to the user equipment; receiving a second authentication result from the user equipment, the second authentication result being computed from the random number and an authentication key stored in the Subscriber Identity Module based on a predetermined authentication algorithm; and, when the first authentication result matches the second authentication result, sending an access permission message to the user equipment.
According to a fourth aspect of the invention, a network device for authentication is provided, which performs WLAN access authentication based on the Subscriber Identity Module of a personal handyphone system, the network device comprising: an identification information receiving module for receiving from a user equipment, in response to an authentication enquiry from the network, first identification information that is stored in the Subscriber Identity Module of the user equipment; an authentication module for obtaining an authentication triplet based on the first identification information, the authentication triplet comprising a random number for authentication, a first authentication result, and second identification information which matches the first identification information and was allocated to the user equipment in advance by the network; an authentication information sending module for sending the random number to the user equipment; an authentication result receiving module for receiving a second authentication result from the user equipment, the second authentication result being computed from the random number and an authentication key stored in the Subscriber Identity Module based on a predetermined authentication algorithm; and an access message sending module for sending an access permission message to the user equipment when the first authentication result matches the second authentication result.
According to a fifth aspect of the invention, an authentication method is provided, which performs WLAN access authentication based on the Subscriber Identity Module of a personal handyphone system, the method comprising the steps of: in response to an authentication enquiry from a network, sending first identification information of a user equipment from the user equipment to the network, the first identification information being stored in the Subscriber Identity Module of the user equipment; obtaining, at the network, an authentication triplet based on the first identification information, the authentication triplet comprising a random number for authentication, a first authentication result, and second identification information which matches the first identification information and was allocated to the user equipment in advance by the network; sending the random number from the network to the user equipment; at the user equipment, computing a second authentication result from the random number and an authentication key stored in the Subscriber Identity Module based on a predetermined authentication algorithm; sending the second authentication result from the user equipment to the network; and, when the first authentication result matches the second authentication result, sending an access permission message from the network to the user equipment.
Description of drawings
The novel features of the invention are set forth in the claims. The invention itself, its preferred mode of use, and its further objects and advantages will be best understood by reference to the following detailed description of illustrative embodiments when read in conjunction with the accompanying drawings, in which:
Fig. 1 shows a prior-art operator WLAN architecture based on GSM-SIM;
Fig. 2 shows an operator WLAN architecture based on PHS-SIM according to an exemplary embodiment of the invention;
Fig. 3 is a flowchart of a method for implementing PHS-SIM based WLAN access authentication according to an exemplary embodiment of the invention;
Fig. 4 illustrates access to the identification information in the PHS packet card according to an exemplary embodiment of the invention;
Fig. 5 illustrates access to the authentication result in the PHS packet card according to an exemplary embodiment of the invention;
Fig. 6 shows the message flow for implementing WLAN access authentication according to an exemplary embodiment of the invention; and
Fig. 7 illustrates a system for implementing PHS-SIM based WLAN access authentication according to an exemplary embodiment of the invention.
Embodiment
Embodiments of the invention are described in detail below with reference to the accompanying drawings. Throughout this specification, references to features, advantages or similar wording do not mean that all of the features and advantages that can be realized with the invention should be, or are, present in any single embodiment. Rather, wording referring to features and advantages means that a specific feature, advantage or characteristic described in connection with an embodiment is included in at least one embodiment of the invention. Thus, discussion of features and advantages and similar wording throughout this specification may, but need not, refer to the same embodiment. Moreover, the described features, advantages and characteristics of the invention may be combined in any suitable manner in one or more embodiments. Those skilled in the relevant art will recognize that the invention can be practised without one or more of the specific features or advantages of a particular embodiment. In other cases, additional features and advantages may be realized in certain embodiments that are not necessarily present in all embodiments of the invention.
In order to allow an operator without a GSM network (for example a PHS operator) to prevent unauthorized Wi-Fi end users from accessing its WLAN, the present invention provides an 802.1x authentication solution based on the PHS packet card. The invention applies to all operators that have both a PHS network and a WLAN. The solution is based on the 802.1x authentication and control framework known as EAP. It uses the PHS-SIM instead of the GSM-SIM as the unique user identity. All data used for WLAN authentication is stored in the PHS-SIM, which is integrated into the PHS packet card. When an end user wants to access the WLAN with a Wi-Fi device, the access controller (AC) starts the EAP authentication process. An application (for example a software program) residing on the terminal retrieves the required data from the PHS packet card and responds to the access controller. After successful EAP authentication, the terminal starts the Dynamic Host Configuration Protocol (DHCP) process to obtain an IP address dynamically and can then access the IP network or the Internet.
Fig. 2 shows an operator WLAN architecture 200 based on PHS-SIM according to an exemplary embodiment of the invention. As shown in Fig. 2, a PHS terminal 201 in this architecture 200 can take part in data communication via the PHS RAN 210, and a Wi-Fi terminal 202 equipped with a PHS packet card can access an IP network 203 such as the Internet via the public WLAN 220. In a further exemplary embodiment, the Wi-Fi terminal 202 with the PHS packet card can also access the IP network or Internet through the PHS RAN 210, which allows seamless handover. In the architecture 200 of Fig. 2, the PHS packet data server (PDS) 233 serves as the gateway through which PHS data terminals access the IP data network or Internet, similar to the Serving GPRS Support Node / Gateway GPRS Support Node (SGSN/GGSN) of the GPRS network shown in Fig. 1. If the PHS user data is integrated in the PDS 233, the PDS 233 supplies the data used for authentication, for example authentication triplets, directly to the authentication server (AS) 231. Otherwise the PDS 233 acts as a relay, forwarding authentication triplet requests and responses between the AS 231 and the PHS switching centre / home location register (PSC/HLR) 232 over Signalling System 7 (SS7) 237, as shown by the dotted line in Fig. 2.
According to an exemplary embodiment of the invention, when the Wi-Fi terminal 202 wants to access the IP network through the WLAN, it must be authenticated by the operator so that unauthorized Wi-Fi end users are prevented from accessing the operator's WLAN. For an operator that owns both a PHS network and a WLAN, once the operator has adopted the PHS-SIM based WLAN authentication scheme of the invention, the Wi-Fi terminal 202 can use the PHS packet card it uses in the PHS network to request access to the WLAN. For example, the Wi-Fi terminal 202 can send the information needed for authentication to the authentication server 231 through the AC 222. The authentication server 231 then decides whether the Wi-Fi terminal 202 may access the WLAN, using authentication data obtained from the PDS 233 (when it integrates the PHS user data) or obtained from the PSC/HLR 232 and forwarded via the PDS 233. The PHS operator can thus combine its PHS packet network and its WLAN seamlessly, and the end user can access the IP network over the WLAN interface or the PHS interface without changing terminal equipment. With the invention, a PHS operator can prevent unauthorized Wi-Fi end users from accessing the WLAN it owns.
The flowcharts that follow are generally set forth as logical flowcharts. The order of the steps shown and their labels therefore represent one embodiment of the proposed method. Other steps and methods that are equivalent in function, logic or effect to one or more steps, or parts of steps, of the described method can be envisaged. The forms and symbols used are provided to explain the logical steps of the method and are not to be understood as limiting its scope. Although various arrow types and line types may be used in the flowcharts, they are not to be understood as limiting the scope of the corresponding method. Indeed, some arrows or other connectors may only be used to indicate the logical flow of the method. For example, an arrow may indicate a waiting or monitoring period of unspecified duration between enumerated steps of the method. Moreover, the order in which a particular method occurs may or may not strictly follow the order of the corresponding steps shown.
Fig. 3 is a flowchart of a method for implementing PHS-SIM based WLAN access authentication according to an exemplary embodiment of the invention. The authentication process of the method is based on the EAP process for 802.1x. It starts when a user equipment such as the Wi-Fi terminal 202 requests access to a WLAN such as the public WLAN 222, at which point the WLAN can send an authentication enquiry to the requesting user equipment. In step 302, in response to the authentication enquiry from the network, the user equipment sends the network first identification information such as the handset equipment number (PSEN), which uniquely identifies the user equipment and may be stored in the Subscriber Identity Module (for example the PHS packet card) inside the user equipment.
In step 304, the authentication server in the network (for example the AS 231 of Fig. 2) obtains an authentication triplet based on the first identification information received from the user equipment. For instance, the authentication triplet may have three fields, (PSEN, RandomNumber, AuthResult), representing respectively the second identification information allocated to the user equipment by the network in advance and matching the first identification information, the random number used for authentication, and the first authentication result (used for comparison with the second authentication result that the user equipment computes from the authentication random number). If the PDS integrates the user data, the authentication triplet is provided by the PDS (for example the PHS PDS 233 of Fig. 2). If the PDS does not integrate the HLR (which holds the user data), the authentication triplet is provided by the PSC/HLR (for example the PSC/HLR 232 of Fig. 2).
In step 306, the network sends the random number from the obtained authentication triplet to the user equipment. Based on a predetermined authentication algorithm, for example Feal32 or Stephi, the user equipment computes the second authentication result from the received random number and the authentication key stored in the Subscriber Identity Module (step 308), and in step 310 sends the second authentication result to the network for comparison with the first authentication result that the authentication server obtained from the authentication triplet. In step 312, when the authentication server confirms that the first and second authentication results match, it can send an access permission message to the user equipment (step 314); the user equipment can then access the network. If the first and second authentication results do not match in step 312, the authentication server sends an access-reject message to the user equipment (step 316) and the access authentication procedure ends in step 318.
The method for implementing PHS-SIM based WLAN access authentication according to an embodiment of the invention has been described above. It should be noted that the described method is only an example and does not limit the invention. A method according to the invention for implementing PHS-SIM based WLAN access authentication may have more, fewer or different steps; some of the described steps may be merged into a single step or divided into finer steps; and the order of some steps may be changed or the steps executed in parallel.
Fig. 4 illustrates access to the identification information in the PHS packet card 410 according to an exemplary embodiment of the invention. As shown in Fig. 4, a special data block is kept inside the PHS packet card 410; it is referred to here as the profile data block (PDB) 411. For the storage of Wi-Fi terminal information, the PSEN and the authentication key are the essential items stored in this data block. The PSEN, serving as the terminal identifier, is used by the authentication server (for example the AS 231 of Fig. 2) to fetch the authentication triplet from the PDS or PSC/HLR. The terminal uses the authentication key to compute the authentication result from the random number received from the authentication server. When the terminal 420 wants to obtain its identification information PSEN, the PHS packet card 410 must provide a first interface to the OS driver, namely the PSEN access interface. The application 421 can obtain the PSEN through an application programming interface (API) such as ReadPDB().
The authentication key is used quite differently from the PSEN. For the PSEN, the card driver can provide a simple API (for example ReadPDB()) to the OS; the application 421 calls this API and directly obtains the PSEN. The authentication key, however, cannot be read out directly through an API, for security reasons.
Fig. 5 illustrates access to the authentication result in the PHS packet card 410 according to an exemplary embodiment of the invention. As shown in Fig. 5, based on an algorithm that uses a secret personal identification number (PIN) code as its key, the application 421 can present the authentication random number RandomNumber received from the network to the PHS packet card 410 through a second interface (namely another API such as GetSRES(RAND)); the packet card 410 then selects an authentication algorithm and computes the irreversible authentication result SRES using the authentication key. The algorithm matrix 412 must match the algorithm matrix on the PDS or PSC/HLR. In the exemplary embodiment of the invention, Feal32 and/or Stephi, which are widely used in PHS networks, are chosen as the authentication algorithm.
Fig. 6 shows the message flow for implementing WLAN access authentication according to an exemplary embodiment of the invention. A user equipment (STA) such as the Wi-Fi terminal 202 of Fig. 2 can connect to the AC (for example the AC 222 of Fig. 2) through a nearby AP and obtain access authentication through communication between the AC and the AS. As an example, the AP and AC use the EAPoL (EAP over LAN) authentication protocol, and the AS and the PDS or PSC/HLR use the EAPoR (EAP over RADIUS) authentication protocol, as shown in Fig. 6.
When the user equipment STA wants to access a network such as the WLAN, it sends an authentication request message 601 to the AC, which starts the access authentication procedure. On receiving the authentication request from the STA, the AC can send an authentication enquiry 602 to the STA to obtain the identification information of the user equipment. In response to the enquiry from the AC, the STA obtains 603 the identification information that uniquely identifies it, for example the PSEN from its Subscriber Identity Module (PHS packet card), and sends this identification information to the AC as response 604. In message 605, the AC forwards the identification information received from the STA to the AS to request access authentication of the user equipment. To authenticate the requesting STA, the AS needs authentication information about this equipment; therefore, in message 606, the AS uses the user equipment identification information received from the AC to obtain the matching authentication triplet. At this point the PDS or PSC/HLR must provide the authentication triplet to the AS so that the Wi-Fi end user can be authenticated. When the PHS/PDS integrates the HLR and holds the relevant user profile, the PHS/PDS can supply the authentication triplet to the AS; if the PHS/PDS does not integrate the HLR, it forwards the authentication triplet from the HLR to the AS. Besides the identification information allocated to the user equipment in advance by the network operator, which matches the identification information supplied by the user equipment, the obtained authentication triplet also contains the random parameter RAND used for access authentication and the first authentication result. In message 609, the AS sends the random parameter RAND to the AC, and the AC returns it to the STA in message 610 so that the STA can authenticate. The STA presents the received random number to the PHS packet card / Subscriber Identity Module and, based on the predetermined authentication algorithm (for example Feal32 or Stephi), obtains the local authentication result 611 from this random number and the authentication key stored in the Subscriber Identity Module (for example using the GetSRES() API). The STA then provides this authentication result to the AC in message 612, and the AC sends it to the AS in message 613. The AS compares the authentication result received from the AC with the authentication result obtained earlier from the authentication triplet: if they match, the AS sends an access permission message 614a to the AC, otherwise it sends an access-reject message 614b. The AC returns access success or failure 615 to the STA, which completes the access authentication of the STA.
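The card interfaces of Figs. 4 and 5 and the message flow of Fig. 6 together form one challenge-response exchange, modelled below as an added Python example that is not part of the patent and not Alcatel Lucent code. It keeps the page's names ReadPDB() and GetSRES(RAND), and the triplet layout (PSEN, RandomNumber, AuthResult). Everything else is an assumption made for the example: HMAC-SHA256 truncated to four bytes stands in for the unspecified Feal32/Stephi algorithm, RAND is 16 bytes, the AC is modelled as a pass-through, and the class and function names are hypothetical. The point it demonstrates is that the authentication key never leaves the card model (only the PSEN is readable), the AS consumes each triplet once, and a terminal that presents the right PSEN with the wrong key is rejected.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional


def authentication_algorithm(auth_key: bytes, rand: bytes) -> bytes:
    """Assumed stand-in for Feal32/Stephi (not specified on the page):
    HMAC-SHA256 over RAND, truncated to a 32-bit SRES."""
    return hmac.new(auth_key, rand, hashlib.sha256).digest()[:4]


@dataclass(frozen=True)
class AuthenticationTriplet:
    """(PSEN, RandomNumber, AuthResult) as described for step 304."""
    psen: str
    rand: bytes
    auth_result: bytes


class PhsPacketCard:
    """Profile data block (PDB) of Figs. 4 and 5 as seen through the card driver:
    PSEN is readable with ReadPDB(); the authentication key is only used inside
    GetSRES() and is never returned by any interface."""

    def __init__(self, psen: str, auth_key: bytes) -> None:
        self._pdb: Dict[str, str] = {"PSEN": psen}
        self._auth_key = auth_key  # stays inside the card model

    def ReadPDB(self) -> Dict[str, str]:
        return dict(self._pdb)  # copy: the key is not part of the readable block

    def GetSRES(self, rand: bytes) -> bytes:
        # Card-side computation of the second (user-side) authentication result.
        return authentication_algorithm(self._auth_key, rand)


class PdsOrPscHlr:
    """Subscriber database that issues authentication triplets (the PDS when it
    integrates the HLR, otherwise the PSC/HLR reached through the PDS relay)."""

    def __init__(self) -> None:
        self._subscribers: Dict[str, bytes] = {}

    def provision(self, psen: str, auth_key: bytes) -> None:
        self._subscribers[psen] = auth_key

    def get_authentication_triplet(self, psen: str) -> Optional[AuthenticationTriplet]:
        key = self._subscribers.get(psen)
        if key is None:
            return None  # unknown PSEN: no triplet can be issued
        rand = secrets.token_bytes(16)  # fresh RAND for every request (assumed length)
        return AuthenticationTriplet(psen, rand, authentication_algorithm(key, rand))


class AuthenticationServer:
    """AS: fetches the triplet (message 606), hands RAND down (609) and compares
    the first (network-side) and second (user-side) results (614a / 614b)."""

    def __init__(self, backend: PdsOrPscHlr) -> None:
        self._backend = backend
        self._pending: Dict[str, AuthenticationTriplet] = {}

    def on_identity(self, psen: str) -> Optional[bytes]:
        triplet = self._backend.get_authentication_triplet(psen)
        if triplet is None:
            return None
        self._pending[psen] = triplet
        return triplet.rand

    def on_authentication_result(self, psen: str, sres: bytes) -> str:
        # pop(): a triplet is consumed once, so the same RAND is never reissued
        triplet = self._pending.pop(psen, None)
        if triplet is None:
            return "ACCESS-REJECT"
        if hmac.compare_digest(triplet.auth_result, sres):  # constant-time compare
            return "ACCESS-ACCEPT"  # message 614a
        return "ACCESS-REJECT"  # message 614b


def run_wlan_access_authentication(card: PhsPacketCard, auth_server: AuthenticationServer) -> str:
    """STA-side application of Fig. 6; the AC is modelled as a pass-through."""
    psen = card.ReadPDB()["PSEN"]  # 603/604: identity response
    rand = auth_server.on_identity(psen)  # 605-609: AS obtains triplet, returns RAND
    if rand is None:
        return "ACCESS-REJECT"
    sres = card.GetSRES(rand)  # 611: local authentication result via the card API
    return auth_server.on_authentication_result(psen, sres)  # 612-615


if __name__ == "__main__":
    # Constructed sample subscriber; PSEN and key values are illustrative only.
    backend = PdsOrPscHlr()
    backend.provision("PSEN-000001", bytes.fromhex("00112233445566778899aabbccddeeff"))
    auth_server = AuthenticationServer(backend)
    genuine = PhsPacketCard("PSEN-000001", bytes.fromhex("00112233445566778899aabbccddeeff"))
    wrong_key = PhsPacketCard("PSEN-000001", b"\x00" * 16)  # right PSEN, wrong key
    print(run_wlan_access_authentication(genuine, auth_server))    # ACCESS-ACCEPT
    print(run_wlan_access_authentication(wrong_key, auth_server))  # ACCESS-REJECT
```

Because the network side only ever sees the PSEN and the 4-byte SRES, the security of the exchange rests on the key staying inside the card and on the algorithm matrix on the card matching the one in the PDS or PSC/HLR; swapping the stand-in HMAC for the real Feal32 or Stephi implementation changes only `authentication_algorithm`.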
In another exemplary embodiment of the invention, after the user equipment STA has completed access-level authentication, it may also carry out authentication processes 616 at other levels, such as the application layer; for instance, the user may obtain the relevant authentication by entering a username and password. After successful EAP authentication, the user equipment may further carry out the DHCP process 617 and can then access the IP network or Internet, issuing the corresponding accounting request 618 and receiving the accounting response 619.
Fig. 7 has illustrated according to exemplary embodiment of the present invention and has been used for realization based on the system block diagram 700 of the WLAN access authentication of PHS-SIM.It should be noted that Fig. 7 only schematically shows subscriber equipment 710 and the network equipment 720 and the main modular thereof that participates in the WLAN access authentication.Should be pointed out that described subscriber equipment 710 and the network equipment 720 only are example, rather than limitation of the present invention.Subscriber equipment 710 of the present invention and the network equipment 720 can have more, still less or different functional modules than described, more described functional modules can combine, or Further Division, or have different annexations and inclusion relation, within all these variations all are in the spirit and scope of the present invention.
As shown in Fig. 7, the subscriber equipment 710 comprises a Subscriber Identity Module 711, an identification information sending module 712, an authentication information receiving module 713, a computing module 714, an authentication result sending module 715, and an access message receiving module 716. The Subscriber Identity Module 711 stores the unique identification information and the authenticate key of the subscriber equipment 710. In response to an authentication query from the network, the identification information sending module 712 sends the unique identification information (for example the PSEN) of the subscriber equipment 710 to the network equipment 720. The authentication information receiving module 713 receives from the network equipment 720 the random number used for authentication. Using the received random number and the authenticate key inside the Subscriber Identity Module 711, the computing module 714 calculates the user-side authentication result based on the predetermined identifying algorithm. The authentication result sending module 715 sends this authentication result to the network equipment 720. When the network-side authentication result and the user-side authentication result match, the access message receiving module 716 receives an access permission message from the network equipment 720.
The network equipment 720 comprises an identification information receiving module 721, an authentication module 722, an authentication information sending module 723, an authentication result receiving module 724, and an access message sending module 725. When the subscriber equipment 710 has sent its unique identification information to the network equipment 720, the receiving module 721 receives the identification information of this subscriber equipment. The authentication module 722 obtains an authentication triplet based on this identification information, where the authentication triplet comprises a random number used for authentication, the network-side authentication result, and identification information that was allocated in advance by the network to the subscriber equipment and that matches the identification information provided by the subscriber equipment 710. To carry out user access authentication, the authentication information sending module 723 of the network equipment 720 sends this random number to the subscriber equipment 710, and the authentication result receiving module 724 receives the user-side authentication result from the subscriber equipment 710. When the user-side authentication result and the network-side authentication result match, the access message sending module 725 sends an access permission message to the subscriber equipment 710; otherwise the access message sending module 725 sends an access-reject message to the subscriber equipment 710.
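The message sequence (610 to 615) and the module split of Fig. 7 described above, simulated end to end as an added example; this is not code from the patent or from Alcatel Lucent. It assumes HMAC-SHA256 as a stand-in for the Feal32/Stephi identifying algorithm the patent names, a constructed subscriber table in place of a real PDS/HLR, and hypothetical class and method names (GetSRES is the only API name taken from the page). It shows the checks the network side must make for the scheme to hold: the triplet is issued per identity, the pre-allocated second identification information is matched against the first, each random number is answered at most once, and the two results are compared in constant time.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional


def auth_algorithm(key: bytes, rand: bytes) -> bytes:
    """Stand-in for the Feal32/Stephi identifying algorithm named in the patent
    (assumption: HMAC-SHA256 truncated to 8 bytes, so the example runs offline).
    The SIM and the PDS/HLR run this same function on the same key."""
    return hmac.new(key, rand, hashlib.sha256).digest()[:8]


@dataclass(frozen=True)
class Triplet:
    rand: bytes      # random number sent to the subscriber equipment
    sres: bytes      # first authentication result, computed by the network
    identity: bytes  # second identification information pre-allocated to the UE


class SubscriberIdentityModule:
    """PHS-SIM (module 711): holds the PSEN and the authenticate key; the key
    itself never leaves the module, only the identity and a computed result."""

    def __init__(self, psen: str, key: bytes) -> None:
        self._psen = psen
        self._key = key

    def get_identity(self) -> str:              # first interface (claim 2)
        return self._psen

    def get_sres(self, rand: bytes) -> bytes:   # second interface, GetSRES-style (claim 3)
        return auth_algorithm(self._key, rand)


class PacketDataServer:
    """PDS with integrated HLR (claim 4): maps PSEN to key, issues a fresh triplet."""

    def __init__(self, subscribers: Dict[str, bytes]) -> None:
        self._subscribers = subscribers

    def get_triplet(self, psen: str) -> Optional[Triplet]:
        key = self._subscribers.get(psen)
        if key is None:
            return None                          # unknown subscriber
        rand = secrets.token_bytes(16)
        return Triplet(rand, auth_algorithm(key, rand), psen.encode())


class AuthenticationServer:
    """AS: fetches the triplet, hands out RAND, then compares the UE's result."""

    def __init__(self, pds: PacketDataServer) -> None:
        self._pds = pds
        self._pending: Dict[str, Triplet] = {}  # outstanding challenge per PSEN

    def challenge(self, psen: str) -> Optional[bytes]:
        triplet = self._pds.get_triplet(psen)
        # the pre-allocated second identification information must match the first
        if triplet is None or triplet.identity != psen.encode():
            return None
        self._pending[psen] = triplet
        return triplet.rand

    def verify(self, psen: str, sres: bytes) -> bool:
        triplet = self._pending.pop(psen, None)  # a RAND is answered at most once
        if triplet is None:
            return False
        return hmac.compare_digest(triplet.sres, sres)  # constant-time comparison


class AccessController:
    """AC: relays STA<->AS (messages 612/613) and maps the AS decision
    (614a/614b) to the access result returned to the STA (615)."""

    def __init__(self, auth_server: AuthenticationServer) -> None:
        self._as = auth_server

    def forward_identity(self, psen: str) -> Optional[bytes]:
        return self._as.challenge(psen)

    def forward_result(self, psen: str, sres: bytes) -> str:
        return "ACCESS_PERMIT" if self._as.verify(psen, sres) else "ACCESS_REJECT"


def run_access_authentication(sim: SubscriberIdentityModule, ac: AccessController) -> str:
    """STA side of the exchange, driving the SIM through its two interfaces."""
    psen = sim.get_identity()             # first identification information
    rand = ac.forward_identity(psen)      # RAND from the triplet (message 610)
    if rand is None:
        return "ACCESS_REJECT"
    sres = sim.get_sres(rand)             # local authentication result (611)
    return ac.forward_result(psen, sres)  # messages 612 to 615


# Constructed sample data (not from the patent): one provisioned subscriber.
SUBSCRIBER_KEYS = {"PSEN-0001": bytes.fromhex("00112233445566778899aabbccddeeff")}

def build_network() -> AccessController:
    return AccessController(AuthenticationServer(PacketDataServer(SUBSCRIBER_KEYS)))
```

`run_access_authentication(SubscriberIdentityModule("PSEN-0001", SUBSCRIBER_KEYS["PSEN-0001"]), build_network())` returns `ACCESS_PERMIT`; a SIM carrying the same PSEN but a different key, an unprovisioned PSEN, or a result replayed after its challenge has been consumed all yield `ACCESS_REJECT`. The strength of the real scheme rests on the identifying algorithm and on the authenticate key staying inside the SIM and the HLR, which the stand-in algorithm here does not model.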
The present invention may be implemented in hardware, software, firmware or a combination thereof. Any computer system or other apparatus suitable for carrying out the methods described herein is suitable. A typical combination of hardware and software may be a general-purpose computer system containing a computer program which, when loaded and executed, controls the computer system so that it carries out the steps of the methods described herein, or constitutes the functional modules of the apparatus and system according to embodiments of the present invention.
The present invention may also be embodied in a computer program product which contains all the features enabling the implementation of the methods described herein and which, when loaded into a computer system, is able to carry out these methods or to constitute the functional modules of the apparatus and system according to embodiments of the present invention.
Although specific embodiments of the invention have been disclosed, those skilled in the art will understand that changes may be made to the specific embodiments without departing from the spirit and scope of the present invention. Therefore, the scope of the present invention is not limited to the specific embodiments, and the appended claims are intended to cover any and all such applications, modifications and embodiments within the scope of the invention.

Claims (25)

1. An authentication method for subscriber equipment which performs WLAN access authentication based on a Subscriber Identity Module of a personal handyphone system, the method comprising the steps of:
in response to an authentication query from a network, sending first identification information of the subscriber equipment to the network, wherein the first identification information is stored in the Subscriber Identity Module in the subscriber equipment;
receiving from the network a random number used for authentication, wherein the random number comes from an authentication triplet, and the authentication triplet further comprises a first authentication result and second identification information which was allocated in advance by the network to the subscriber equipment and which matches the first identification information;
calculating, at the subscriber equipment, a second authentication result based on a predetermined identifying algorithm using the random number and an authenticate key stored in the Subscriber Identity Module;
sending the second authentication result to the network; and
receiving an access permission message from the network when the first authentication result and the second authentication result match,
wherein the authentication is based on the Extensible Authentication Protocol of 802.1x.
2. The method according to claim 1, wherein the first identification information is obtained directly from the Subscriber Identity Module through a first interface.
3. The method according to claim 1 or 2, wherein calculating the second authentication result comprises the steps of:
feeding the random number to the Subscriber Identity Module through a second interface; and
obtaining the second authentication result from the Subscriber Identity Module.
4. The method according to claim 1 or 2, wherein the authentication triplet is provided by a packet data server of the personal handyphone system, the packet data server having an integrated home location register.
5. The method according to claim 1 or 2, wherein the authentication triplet is obtained via the packet data server of the personal handyphone system, forwarded from a home location register.
6. The method according to claim 1 or 2, wherein the identifying algorithm is the Feal32 algorithm or the Stephi algorithm.
7. Subscriber equipment for authentication, which performs WLAN access authentication based on a Subscriber Identity Module of a personal handyphone system, the subscriber equipment comprising:
a Subscriber Identity Module for storing first identification information and an authenticate key of the subscriber equipment;
an identification information sending module for sending the first identification information to a network in response to an authentication query from the network;
an authentication information receiving module for receiving from the network a random number used for authentication, wherein the random number comes from an authentication triplet, and the authentication triplet further comprises a first authentication result and second identification information which was allocated in advance by the network to the subscriber equipment and which matches the first identification information;
a computing module for calculating a second authentication result based on a predetermined identifying algorithm using the random number and the authenticate key;
an authentication result sending module for sending the second authentication result to the network; and
an access message receiving module for receiving an access permission message from the network when the first authentication result and the second authentication result match,
wherein the authentication is based on the Extensible Authentication Protocol of 802.1x.
8. The subscriber equipment according to claim 7, further comprising a first interface for obtaining the first identification information directly from the Subscriber Identity Module.
9. The subscriber equipment according to claim 7 or 8, further comprising a second interface for feeding the random number to the Subscriber Identity Module and obtaining the second authentication result from the Subscriber Identity Module.
10. The subscriber equipment according to claim 7 or 8, wherein the identifying algorithm is the Feal32 algorithm or the Stephi algorithm.
11. The subscriber equipment according to claim 7 or 8, wherein the authentication triplet is provided by a packet data server of the personal handyphone system, the packet data server having an integrated home location register.
12. The subscriber equipment according to claim 7 or 8, wherein the authentication triplet is obtained via the packet data server of the personal handyphone system, forwarded from a home location register.
13. An authentication method for network equipment which performs WLAN access authentication based on a Subscriber Identity Module of a personal handyphone system, the method comprising the steps of:
receiving, from subscriber equipment, first identification information sent in response to an authentication query from the network, wherein the first identification information is stored in the Subscriber Identity Module in the subscriber equipment;
obtaining an authentication triplet based on the first identification information, wherein the authentication triplet comprises a random number used for authentication, a first authentication result, and second identification information which was allocated in advance by the network to the subscriber equipment and which matches the first identification information;
sending the random number to the subscriber equipment;
receiving a second authentication result from the subscriber equipment, wherein the second authentication result is calculated based on a predetermined identifying algorithm using the random number and an authenticate key stored in the Subscriber Identity Module; and
sending an access permission message to the subscriber equipment when the first authentication result and the second authentication result match,
wherein the authentication is based on the Extensible Authentication Protocol of 802.1x.
14. The method according to claim 13, wherein the first identification information is obtained directly from the Subscriber Identity Module through a first interface.
15. The method according to claim 13 or 14, wherein the second authentication result is obtained from the Subscriber Identity Module by feeding the random number to the Subscriber Identity Module through a second interface.
16. The method according to claim 13 or 14, wherein the identifying algorithm is the Feal32 algorithm or the Stephi algorithm.
17. The method according to claim 13 or 14, wherein the authentication triplet is provided by a packet data server of the personal handyphone system, the packet data server having an integrated home location register.
18. The method according to claim 13 or 14, wherein the authentication triplet is obtained via the packet data server of the personal handyphone system, forwarded from a home location register.
19. Network equipment for authentication, which performs WLAN access authentication based on a Subscriber Identity Module of a personal handyphone system, the network equipment comprising:
an identification information receiving module for receiving, from subscriber equipment, first identification information sent in response to an authentication query from the network, wherein the first identification information is stored in the Subscriber Identity Module in the subscriber equipment;
an authentication module for obtaining an authentication triplet based on the first identification information, wherein the authentication triplet comprises a random number used for authentication, a first authentication result, and second identification information which was allocated in advance by the network to the subscriber equipment and which matches the first identification information;
an authentication information sending module for sending the random number to the subscriber equipment;
an authentication result receiving module for receiving a second authentication result from the subscriber equipment, wherein the second authentication result is calculated based on a predetermined identifying algorithm using the random number and an authenticate key stored in the Subscriber Identity Module; and
an access message sending module for sending an access permission message to the subscriber equipment when the first authentication result and the second authentication result match,
wherein the authentication is based on the Extensible Authentication Protocol of 802.1x.
20. The network equipment according to claim 19, wherein the first identification information is obtained directly from the Subscriber Identity Module through a first interface.
21. The network equipment according to claim 19 or 20, wherein the second authentication result is obtained from the Subscriber Identity Module by feeding the random number to the Subscriber Identity Module through a second interface.
22. The network equipment according to claim 19 or 20, wherein the identifying algorithm is the Feal32 algorithm or the Stephi algorithm.
23. The network equipment according to claim 19 or 20, wherein the authentication triplet is provided by a packet data server of the personal handyphone system, the packet data server having an integrated home location register.
24. The network equipment according to claim 19 or 20, wherein the authentication triplet is obtained via the packet data server of the personal handyphone system, forwarded from a home location register.
25. An authentication method which performs WLAN access authentication based on a Subscriber Identity Module of a personal handyphone system, the method comprising the steps of:
in response to an authentication query from a network, sending first identification information of subscriber equipment from the subscriber equipment to the network, wherein the first identification information is stored in the Subscriber Identity Module in the subscriber equipment;
obtaining, at the network, an authentication triplet based on the first identification information, wherein the authentication triplet comprises a random number used for authentication, a first authentication result, and second identification information which was allocated in advance by the network to the subscriber equipment and which matches the first identification information;
sending the random number from the network to the subscriber equipment;
calculating, at the subscriber equipment, a second authentication result based on a predetermined identifying algorithm using the random number and an authenticate key stored in the Subscriber Identity Module;
sending the second authentication result from the subscriber equipment to the network; and
sending an access permission message from the network to the subscriber equipment when the first authentication result and the second authentication result match,
wherein the authentication is based on the Extensible Authentication Protocol of 802.1x.
CN200810214603.6A 2008-08-28 2008-08-28 Authenticating method and equipment based on user identification module of personal handy phone system Expired - Fee Related CN101662768B (en)

Publications (2)

Publication Number Publication Date
CN101662768A CN101662768A (en) 2010-03-03
CN101662768B true CN101662768B (en) 2013-06-19

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20130619

Termination date: 20160828